The resource centre for busy senior executives seeking the latest insights into IT Compliance & Privacy issues for major organizations
UK Information Commissioner targets firm selling vetting data

The Information Commissioner's Office (ICO) has taken stringent enforcement action against a business that it believes has been selling data about construction industry workers to prospective employers.

The action against the Consulting Association is further evidence of the proactive enforcement stance being adopted by the ICO. It is an interesting case study of the range of powers the ICO has at its disposal:

  • obtaining a warrant of entry to the business's premises
  • issuing an enforcement notice which, in effect, requires the business to stop using the data
  • the threat of criminal sanctions, because the business had also failed to register (notify) with the ICO.

The impact may well be to close this business down, which shows that the ICO is far from being a toothless tiger amongst regulators.

Perhaps of greater impact, though, is the involvement of some household names in the case. In a world where the use of vetting seems to be increasing, whether driven by heightened security concerns or otherwise, this provides a cautionary tale.

To some, it will be surprising that some well-known construction businesses have become caught up in this. What isn't known at this stage is how those businesses interacted with the Consulting Association, but it would appear from press reports that they, too, now face investigation by the ICO.

This case highlights a number of key compliance issues in respect of vetting practice, but there are some practical steps that can be taken:

  1. First and foremost, vetting should not be done as a general fishing exercise, but only to address specific, justifiable risks where the information can't reasonably be obtained elsewhere.
  2. Secondly, if you are going to engage in staff vetting, it should be done on an open and consensual basis. You should inform the individual about the nature of the investigation being undertaken and what you will do with the information, and obtain their consent.
  3. Select with care who you engage to provide information to you. Under the legislation it is the purchaser of that information, as the data controller, who is responsible for ensuring that the information it processes has been collected, and is used, in compliance with the legislation.
  4. Exercise due diligence: ask questions about how the supplier collects its data. If in doubt, don't use it.
  5. Make sure you have a contract for the supply of the data, and check that it contains provisions giving you assurances that the information has been collected in a manner compliant with the Data Protection Act (DPA) and that its transfer to, and use by, you will also be compliant (preferably supported by an indemnity).
  6. There should be a feedback loop to the individual so that they are aware of the reason for the decision. It's worth remembering, too, that the individual can make a subject access request under the DPA to find out what information you hold about them.
  7. Be very careful if you are going to place reliance on the information obtained to make the recruitment decision. Is it reliable enough? Some reports suggest that the nature of the information stored may cause difficulties for an employer who actually took a decision not to recruit on the basis of it. For example, if a business decided not to recruit the otherwise best candidate on the basis of their union membership, that could give rise to a claim. If proven (which, of course, can be difficult), compensation could be substantial.

Guidance on pre-employment vetting has been issued by the ICO under the Employment Practices Code.

If there are lessons to be learnt from this case, perhaps the main one for employers is to stop and think about whether they need to be vetting at all, and then to ensure that any information they do buy in has been lawfully obtained. If not, they can find themselves on the wrong end of an ICO investigation and, as in this case, unwelcome publicity.

This article is reproduced from Eversheds e80 service. You can find out more about Eversheds e80 and search the Eversheds e80 archive at www.eversheds80.com. e80 is provided by Eversheds for information purposes only and should not be regarded as a substitute for taking legal advice. It is reproduced here by kind permission of and is © Eversheds.

This site is independent of all its sources
The contents of the site are sourced from across the industry. All copyrights are acknowledged.